BeyondTrust Patch Tuesday

August 10, 2010

Microsoft Patch Disclosure

This month, Microsoft released 15 patches which repair a total of 35 vulnerabilities. Of these 15 patches, 11 address Remote Code Execution vulnerabilities and 4 address Elevation of Privilege vulnerabilities.
Both eEye's Blink® Professional and Blink® Personal Endpoint Security solutions protect from memory-corruption vulnerabilities generically without the need for any updates.

Administrators are advised to patch MS10-054, MS10-053, and MS10-056 immediately to prevent exploitation by attackers.
Next, administrators should patch MS10-049, 050, 051, 052, 055, 057, and 060 as soon as possible.
Lastly, administrators should patch MS10-047, 048, 058 and 059 at their earliest convenience.
As always, eEye suggests that all users apply Microsoft patches as fast as possible, preferably after testing the impact on internal applications and network continuity. For those who would like further information regarding the potential risks and remediation requirements of the patches announced today, please consider attending tomorrow's Vulnerability Expert Forum hosted by the eEye Security Research Team.

Web Event:
Vulnerability Expert Forum (VEF)

Presenters:
The eEye Research Team

Date/Time:
Wednesday August 11th at 11am PDT / 2pm EDT

BULLETIN / ADVISORY DETAILS

Microsoft Rating:

CVE:

CVE-2010-2568

Analysis:

A vulnerability exists in how the Windows Shell processes LNK and PIF files. It could be exploited to execute arbitrary code on a victim's system. To exploit it, an attacker would need to convince a user to visit a malicious page under the attacker's control; alternative delivery has included USB propagation, which the Stuxnet trojan used successfully. The Windows Shell would process a malicious icon embedded in a LNK/PIF file hosted on the site, triggering the vulnerability and giving the attacker privileges equal to those of the current user. If the user had Administrator privileges, the attacker would gain complete control of the system.

Recommendation:

Administrators are urged to roll out this patch as soon as possible to vulnerable systems. Until this patch is rolled out, administrators should 1) prevent LNK and PIF files from being downloaded, 2) set the default value of HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler and HKEY_CLASSES_ROOT\piffile\shellex\IconHandler to empty, 3) block the WebClient service from running on client machines, and 4) block outbound SMB connections from machines to systems outside the network.

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)

Microsoft Rating:

CVE List:

CVE-2010-1888, CVE-2010-1889, CVE-2010-1890

Analysis:

This patch addresses 2 privilege elevation vulnerabilities and 1 denial of service vulnerability within the Microsoft Windows Kernel. Attackers will likely use the privilege elevation vulnerabilities to transform browser-based vulnerabilities, such as CVE-2010-2559 in MS10-053, which execute remote code at the current user's level, into an attack that gains kernel-level privileges. This sort of combination will be a prime target for attackers.

Recommendation:

Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.

Microsoft Rating:

CVE List:

Analysis:

This patch addresses 4 privilege elevation vulnerabilities and 1 denial of service vulnerability within the Microsoft Windows Kernel. Similar to MS10-047, attackers will look for ways to gain user privileges on a target system and then exploit one or more of these vulnerabilities in the kernel. This would grant the attacker kernel-level access to the target machine. Attackers will be very interested in this kind of vulnerability, since it can be used to control all aspects of a system and launch further attacks at other computers.

Recommendation:

Currently, there are no workarounds for this bulletin. Administrators are strongly urged to update affected systems as soon as possible.

Microsoft Rating:

CVE List:

CVE-2009-3555, CVE-2010-2566

Analysis:

This patch addresses 1 remote code execution vulnerability and 1 spoofing vulnerability within the SChannel security package in Windows. Attackers will attempt to lure victims to an attacker-controlled site, which would execute arbitrary code on the victim's machine.

Recommendation:

Administrators are urged to patch all affected systems as soon as possible. There is currently no workaround for the remote code execution vulnerability described in this bulletin. Until patching is complete, the spoofing vulnerability can be mitigated by requiring mutual authentication on IIS servers.

Microsoft Rating:

CVE:

CVE-2010-2564

Analysis:

A remote code execution vulnerability exists in Windows Movie Maker in how it parses the project file formats. If an attacker were to convince a user to open an attacker-provided Movie Maker project file, the vulnerability would be exploited and the user's system would become compromised, allowing the attacker to execute code at the same level as the currently logged on user.

Recommendation:

Administrators should patch affected systems as soon as the critical patches have been applied. Until that can be done, administrators can mitigate this threat by removing the .MSWMM file extension association in the registry. This can be done by deleting the HKEY_CLASSES_ROOT\.MSWMM key.

Microsoft Rating:

CVE:

CVE-2010-2561

Analysis:

A memory corruption vulnerability exists in Microsoft XML Core Services when it handles malformed HTTP responses. Attackers could leverage this vulnerability by tricking a user into visiting a malicious website. This could ultimately lead to remote code execution on the target's machine, running with the same permissions as the current user.

Recommendation:

Administrators should roll out this patch as soon as possible. Until then, set a kill bit on {F5078F35-C551-11D3-89B9-0000F81FE221} for Internet Explorer by setting its "Compatibility Flags" value to dword:00000400.

Microsoft Rating:

CVE:

CVE-2010-1882

Analysis:

A buffer overflow vulnerability, which could lead to remote code execution, exists in the MPEG Layer-3 Audio Decoder on Windows. It can be exploited by tricking a user into viewing a site that automatically plays a crafted MP3 file. Alternatively, attackers could spread the MP3 across peer-to-peer networks, disguising it as something like a newly released track from a famous artist. Upon successful exploitation, the attacker would gain control of the affected system with the same rights as the current user.

Recommendation:

Administrators should roll out the patch as soon as possible. Until then, disable the use of l3codecx.ax on affected systems. In addition, remove the ClassID, {38BE3000-DBF4-11D0-860E-00A024CFEF6D}, from affected systems.

Microsoft Rating:

CVE List:

CVE-2010-2550, CVE-2010-2551, CVE-2010-2552

Analysis:

This bulletin addresses 1 remote code execution vulnerability and 2 denial of service vulnerabilities. The remote code execution vulnerability will be of particular interest to attackers, since it does not require the attacker to be authenticated. All an attacker needs to do is send a malicious SMB request to compromise the server, which would allow them to run arbitrary code at kernel-level privileges. As of this writing, public proof-of-concept code exists for this vulnerability and is being used by attackers in efforts to compromise and disable vulnerable systems.

Recommendation:

Roll out the patch to affected systems as soon as possible. Until this is done, block ports 139 and 445 at the public-facing firewall. Please note this vulnerability also affects Windows 2000 systems; because Windows 2000 has reached end of life, no patch is expected to provide mitigation for it.

Microsoft Rating:

CVE:

CVE-2010-2553

Analysis:

This bulletin addresses a remote code execution vulnerability in the processing of malformed media files encoded with the Cinepak codec. After exploiting this vulnerability, attackers would be able to execute code within the context of the currently logged on user.

Recommendation:

Administrators should push this patch to affected systems as soon as possible. Until this is possible, restrict access to iccvid.dll. In addition, modify the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32 (or HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32 for 64 bit systems) to remove the vidc.cvid value.
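As an added example that is not part of the BeyondTrust advisory, the following PowerShell audit script checks whether the interim workarounds recommended above for the LNK/PIF icon handler and WebClient service, the Movie Maker .MSWMM association, the XML Core Services kill bit, the MPEG Layer-3 decoder CLSID and the Cinepak vidc.cvid driver entry are in place on the local host. It assumes the standard locations for settings the advisory does not spell out: the Internet Explorer "ActiveX Compatibility" key for kill bits, the Services key Start value (4 = Disabled) for the WebClient service, and HKEY_CLASSES_ROOT\CLSID for the decoder's class registration. The script only reads the registry; it changes nothing.

```powershell
# Added audit script (not part of the BeyondTrust advisory). Reports whether the
# interim workarounds recommended above are in place on this host so that an
# administrator can verify them until the patches are deployed.
# Run from an elevated PowerShell prompt. Paths marked "assumed" are standard
# Windows locations the advisory does not spell out.

$script:Results = @()
$is64 = Test-Path -Path 'HKLM:\SOFTWARE\Wow6432Node'

function Add-Result {
    param([string]$Workaround, [bool]$InPlace, [string]$Detail)
    $script:Results += [pscustomobject]@{
        Workaround = $Workaround
        InPlace    = $InPlace
        Detail     = $Detail
    }
}

# 1. LNK/PIF icon handler: the default value of IconHandler must be empty.
foreach ($type in 'lnkfile', 'piffile') {
    $key = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$type\shellex\IconHandler" -ErrorAction SilentlyContinue
    $handler = if ($key) { $key.GetValue('') } else { $null }
    Add-Result "$type IconHandler default value cleared" ([string]::IsNullOrEmpty($handler)) "value: '$handler'"
}

# 2. WebClient service blocked (assumed: Services key, Start=4 means Disabled).
#    A missing key means the service is not installed, which also satisfies the workaround.
$webclient = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WebClient' -ErrorAction SilentlyContinue
Add-Result 'WebClient service disabled' ($webclient -eq $null -or $webclient.Start -eq 4) "Start: $($webclient.Start)"

# 3. Movie Maker: the HKCR\.MSWMM association key must be gone.
$mswmm = Test-Path -Path 'Registry::HKEY_CLASSES_ROOT\.MSWMM'
Add-Result '.MSWMM file association removed' (-not $mswmm) "key present: $mswmm"

# 4. MSXML control kill bit: Compatibility Flags must have the 0x400 bit set.
#    Assumed: the IE "ActiveX Compatibility" key (the advisory names only the CLSID
#    and the flag value). On 64-bit Windows the Wow6432Node copy governs 32-bit IE.
$msxmlClsid = '{F5078F35-C551-11D3-89B9-0000F81FE221}'
$killBitRoots = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
if ($is64) { $killBitRoots += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility' }
foreach ($root in $killBitRoots) {
    $flags = (Get-ItemProperty -Path "$root\$msxmlClsid" -ErrorAction SilentlyContinue).'Compatibility Flags'
    Add-Result "MSXML kill bit under $root" ((([int]$flags) -band 0x400) -ne 0) "Compatibility Flags: $flags"
}

# 5. MPEG Layer-3 decoder: its class registration must be removed (assumed: HKCR\CLSID).
$mp3Clsid = '{38BE3000-DBF4-11D0-860E-00A024CFEF6D}'
$mp3Present = Test-Path -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$mp3Clsid"
Add-Result 'MP3 decoder CLSID removed' (-not $mp3Present) "CLSID present: $mp3Present"

# 6. Cinepak: the vidc.cvid value must be absent from Drivers32 (both hives on 64-bit).
$driverKeys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32')
if ($is64) { $driverKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32' }
foreach ($key in $driverKeys) {
    $cvid = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'vidc.cvid'
    Add-Result "vidc.cvid removed from $key" ([string]::IsNullOrEmpty($cvid)) "value: '$cvid'"
}

# Report: one row per workaround; any row with InPlace = False still needs attention.
$script:Results | Format-Table -AutoSize -Wrap
$missing = @($script:Results | Where-Object { -not $_.InPlace }).Count
Write-Host "$missing workaround(s) not yet applied on $env:COMPUTERNAME"
```

The script reports rather than remediates on purpose: several of these workarounds break legitimate functionality (shortcut icons, Movie Maker, MP3 and Cinepak playback), so the decision to apply or roll them back should stay with the administrator, while the audit can be run repeatedly across a fleet to confirm which hosts still rely on the interim measures.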

Microsoft Rating:

CVE List:

CVE-2010-1900, CVE-2010-1901, CVE-2010-1902, CVE-2010-1903

Analysis:

This bulletin addresses 4 remote code execution vulnerabilities in Microsoft Office Word (versions) while parsing malformed Word files (extensions). These vulnerabilities allow an attacker to create a specially crafted file containing malformed records or malicious rich text data; when a user opens the file, the vulnerability is exploited, granting the attacker the ability to execute code within the context of the current user.

Recommendation:

Administrators are urged to patch all affected systems as soon as possible.

Microsoft Rating:

CVE:

CVE-2010-2562

Analysis:

This bulletin addresses a remote code execution vulnerability in how Microsoft Office Excel parses Excel files. If an attacker were to convince a user to open an Excel file hosted on a site or sent through a spoofed email, the vulnerability would be exploited on the victim's system, giving the attacker the ability to execute arbitrary code on the victim's machine within the context of the current user.

Recommendation:

Administrators are urged to roll out this patch to affected systems as soon as possible.

Microsoft Rating:

CVE List:

CVE-2010-1892, CVE-2010-1893

Analysis:

A privilege elevation vulnerability exists in the Microsoft Windows TCP/IP stack. An attacker would need to be able to log into a system and run a malicious program that exploits this vulnerability, which would give the attacker system-level access to the machine. Attackers would likely use such compromised servers as a launching point for further attacks.

Recommendation:

Administrators are urged to push this patch out to affected systems as soon as they are able.

Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799)

Microsoft Rating:

CVE List:

CVE-2010-2554, CVE-2010-2555

Analysis:

A vulnerability exists in the Tracing Feature for Services in Microsoft Windows, which could allow for elevation of privileges. To successfully exploit this vulnerability, an attacker would need to log into the target machine, or gain access through the use of other means like browser exploits, and execute a malicious application. This would give an attacker complete control of the target system, from which they are likely to launch further attacks against other systems.

Recommendation:

Administrators are urged to push this patch out to affected systems as soon as they are able.

Vulnerabilities in the Microsoft .NET Common Language Runtime and in Microsoft Silverlight Could Allow Remote Code Execution (2265906)

Microsoft Rating:

CVE List:

CVE-2010-0019, CVE-2010-1898

Analysis:

This bulletin addresses 2 remote code execution vulnerabilities in Microsoft Silverlight, which allow an attacker to execute unmanaged code. A user would be tricked into viewing an attacker-controlled site hosting a malicious Silverlight application. Upon executing this application, the vulnerability on the victim's system would be exploited, giving the attacker the ability to run arbitrary code within the context of the current user. Additionally, web servers that allow uploading and running of ASP.NET code are affected by the vulnerability patched in this bulletin: a user would upload the exploit code as a web page and then view it as it is parsed by the target web hosting server.

Recommendation:

Administrators are urged to push this patch out to affected systems as soon as they are able.

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.